7 Strategic Decisions for Cloud Security

Dec 2019

When the cloud era promised cost reduction and speed to market in its early days, it worked well for startups to build IT in the cloud from scratch without heavy upfront investment. It was not necessarily the case for traditional enterprises, as they had already invested in their IT estate, with staff educated and processes optimized to build and run IT on premises. Those days are long gone, since startups and innovators disrupted the marketplace of traditional enterprises. Cloud technologies have evolved significantly, and the discussion is no longer about cost reduction or operational excellence but about new technologies, agility and innovation. Today, some form of cloud adoption is inevitable for any enterprise to thrive, or even survive, in the digital era.

In response, many ran cloud adoption programs in a rush, without clear motivations or expertise. I often observed that the cloud was falsely believed to be a magical cure for the fatigue of the traditional enterprise. Anyway, lessons have been learnt, the dust has settled and the cloud market has matured further. More information and use cases are available today to support strategic thinking and decision making for cloud adoption. The story is not much different for cyber security, and I have already discussed the fundamental characteristics of cloud security compared to on-premise approaches (see the previous article). Further to that, with the matured cloud market, the developed technology offerings and the learnings from recent adoptions, I am now able to suggest the strategic decisions for cyber security below.

Trust your provider

Building confidence in cloud security has been a major concern, hence control and assurance frameworks (e.g. ISO27017, CSA STAR, or proprietary ones) have been used widely to assess providers. However, the market has converged on a few cloud providers (usually referred to as tier-1 providers) that have been investing heavily in technology offerings, including cyber security services. These investments are usually much larger than a typical enterprise can afford. They also acquire or integrate specialist vendor services continuously and certify their services and infrastructure against common security assurance and control standards. Therefore, there is not much value in assigning the scarce resources of the enterprise to security assessment of the tier-1 providers, and I suggest trusting them inherently for their due diligence. As a side note, dominant market presence makes them desirable targets for adversaries, but there is no case reported yet of their control plane or infrastructure having been compromised. I will come back to that below.

Use the highest-level service construct possible

Offloading technology stacks to service providers (or managed service partners) has been a widely accepted practice so that enterprises can focus on their core business functions. The typical guidance for the cloud is to pursue the utility model: use SaaS (Software-as-a-Service) first, then PaaS (Platform-as-a-Service), and IaaS (Infrastructure-as-a-Service) only if it is inevitable. This approach offloads responsibilities and reduces complexity for the enterprise, which is also good for security. However, this may not be a simple formula to apply, as digital disruption compels enterprises to embrace technology for business differentiation. The suggested decision here is to embrace the utility model for services or technology building blocks that are not business differentiators (e.g. most enterprises use SaaS for back-office systems such as HR and accounting). When products and services are business differentiators, they naturally require custom development and configuration, and evolve continuously to deliver competitive advantage. Enterprise IT (build & run) is therefore still needed as a key stakeholder in the cloud; keep reading for that discussion.

Segregate cloud(s) and on-premise domains

Segmentation and segregation of environments is a universal security principle. It controls the blast radius of security incidents (more on cyber resiliency below), and may also support compliance with security standards (e.g. ISO27001, PCI-DSS) and privacy regulations (e.g. GDPR). Traditionally, enterprise networks are segmented into, for example, a DMZ, an application layer and a data layer, though effective segregation is not always possible due to the legitimate integration and communication needs of systems across segments. Do not assume that a network firewall alone provides segregation if the same Windows Active Directory Domain Controllers serve different segments/environments (verify user access segregation in this case). The solution is to architect your environments as isolated domains at all layers as far as possible (physical infrastructure, network, platform, application, data, user access, control plane), and to apply technologies that inspect inter-domain communication at the layers that must remain integrated.
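The Active Directory point above generalizes: two environments that share a component at any layer (identity, control plane, data store) are one trust domain no matter how the network is carved up. The following is an added example, not code from the article, that makes this explicit. It takes a constructed inventory in which every component is assigned to the environments it serves, plus a constructed list of integration links marked as inspected or not, and computes the effective trust domains with a union-find merge. The modelling rule (shared component or uninspected cross-domain link collapses the two domains) is an assumption made for the example.

```python
from collections import defaultdict

# Constructed example inventory (not from the article): each component sits at one
# architectural layer and serves one or more environments. A component that serves
# more than one environment is, by definition, shared between them.
COMPONENTS = {
    # name: (layer, environments served)
    "fw-prod":            ("network",       {"prod"}),
    "web-prod":           ("application",   {"prod"}),
    "db-prod":            ("data",          {"prod"}),
    "web-test":           ("application",   {"test"}),
    "db-test":            ("data",          {"test"}),
    "ad-dc01":            ("user access",   {"prod", "test"}),  # one AD domain spanning both
    "web-dev":            ("application",   {"dev"}),
    "cloud-account-prod": ("control plane", {"prod"}),
    "cloud-account-test": ("control plane", {"test"}),
    "cloud-account-dev":  ("control plane", {"dev"}),
}

# Constructed integration links: (source, destination, inspected). "inspected" means
# the traffic passes an inspection point (e.g. an inline proxy or application-aware
# firewall) on its way between the two components.
LINKS = [
    ("web-prod", "db-prod", False),  # intra-domain, no concern
    ("web-dev", "db-prod", True),    # cross-domain but inspected: accepted integration
]


class UnionFind:
    """Minimal disjoint-set structure used to merge environments that share a component."""

    def __init__(self, items):
        self.parent = {item: item for item in items}

    def find(self, item):
        while self.parent[item] != item:
            self.parent[item] = self.parent[self.parent[item]]  # path halving
            item = self.parent[item]
        return item

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def effective_domains(components, links):
    """Compute the effective trust domains of an estate.

    Assumed rule for this example: environments that share any component at any
    layer, or that are joined by an uninspected link, collapse into one trust domain
    regardless of network segmentation. Returns (domains, findings): domains is a set
    of frozensets of environment names, findings lists the cause of each collapse.
    """
    envs = set()
    for _, served in components.values():
        envs |= served
    uf = UnionFind(envs)
    findings = []

    # A shared component bridges every environment it serves.
    for name, (layer, served) in components.items():
        if len(served) > 1:
            first, *rest = sorted(served)
            for other in rest:
                uf.union(first, other)
            findings.append(f"{name} ({layer}) is shared by {sorted(served)}")

    # An uninspected link between different domains also bridges them.
    for src, dst, inspected in links:
        for a in components[src][1]:
            for b in components[dst][1]:
                if not inspected and uf.find(a) != uf.find(b):
                    uf.union(a, b)
                    findings.append(f"uninspected link {src} -> {dst} joins {a} and {b}")

    groups = defaultdict(set)
    for env in envs:
        groups[uf.find(env)].add(env)
    return {frozenset(g) for g in groups.values()}, findings


if __name__ == "__main__":
    domains, findings = effective_domains(COMPONENTS, LINKS)
    for d in sorted(domains, key=sorted):
        print("trust domain:", sorted(d))
    for f in findings:
        print("finding:", f)
```

Run against the constructed data, prod and test collapse into a single trust domain because of the shared domain controller, while dev stays isolated even though it has an (inspected) integration with the prod database. Feeding a real architecture model through the same check shows where "segmented" environments are effectively one.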

Prefer cloud native security technologies

Cloud native security technologies are inherently integrated with and optimized for cloud resources and services, and therefore provide better insights and eliminate the hassle of integrating and tuning proprietary security solutions from third-party vendors. Consider the native encryption, access control, border protection, vulnerability & threat management, and security monitoring and event management services from your cloud provider's product catalogue. They are integrated with each other and with other services, and will provide better context than any external solution. Tier-1 cloud providers have been heavily investing in security technologies and offer out-of-the-box intelligence to defend against, detect and respond to adversaries. Following the first strategic decision above, trust your provider, it is usually better to use cloud native capabilities for security. Perhaps controversially, I advocate using separate tools tailored to each environment rather than trying to consolidate or integrate all services (i.e. cloud & on-premise) into central tools or a single IT function. An orchestration layer on top (this could be an IT process) will be sufficient to coordinate all the tools and activities.

Catalogue assets in abstract forms and establish a common understanding of roles and responsibilities

Another universal security principle is to have an inventory of assets so that they can be security-classified and protected accordingly. Asset management in the cloud can be tricky due to the dynamic nature of cloud resources. Abstraction is key here, as there is not much value in elaborating assets or configuration items whose attributes change dynamically (e.g. automatic scaling to meet demand) or which are ephemeral (e.g. serverless functions). Consider packaging resources or functionalities into higher-level constructs that are owned and managed by a particular entity. These higher-level constructs can be catalogued as IT assets to be security-classified and protected. The abstraction approach hides the complexity of cloud services and facilitates understanding by different stakeholders (e.g. IT-build, IT-run, business, finance). Accordingly, security activities, roles and responsibilities can be determined and agreed by all parties more easily.
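As an added example (not from the article), the script below rolls a constructed snapshot of ephemeral resources up into the kind of abstract asset record the paragraph describes. The tagging convention (app, owner, data) and the four-level classification scheme are assumptions for the example. The asset record keeps only the attributes that stay stable across scaling and redeployment, inherits the highest classification of its components, and reports resources that cannot be attributed to any owner, since an unowned resource is one nobody is protecting.

```python
# Constructed inventory snapshot (not from the article). Assumed tagging convention:
# "app" names the higher-level construct, "owner" the accountable entity, and
# "data" the classification of the data the resource handles.
RESOURCES = [
    {"id": "i-0a1", "type": "vm",       "tags": {"app": "payments",  "owner": "finance-it", "data": "confidential"}},
    {"id": "i-0a2", "type": "vm",       "tags": {"app": "payments",  "owner": "finance-it", "data": "confidential"}},
    {"id": "fn-77", "type": "function", "tags": {"app": "payments",  "owner": "finance-it", "data": "internal"}},
    {"id": "bkt-1", "type": "bucket",   "tags": {"app": "payments",  "owner": "finance-it", "data": "restricted"}},
    {"id": "fn-12", "type": "function", "tags": {"app": "hr-portal", "owner": "people-it",  "data": "confidential"}},
    {"id": "i-9ff", "type": "vm",       "tags": {"data": "internal"}},  # no app/owner: cannot be attributed
]

# Ordered classification scheme, lowest to highest (constructed for the example).
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {level: i for i, level in enumerate(LEVELS)}


def build_catalogue(resources):
    """Roll ephemeral resources up into abstract assets.

    Returns (assets, orphans). Each asset carries the stable attributes a stakeholder
    needs (owners, classification, kinds of resources, how many right now) but not the
    resource ids, which churn with scaling and redeployment. Classification is the
    highest level found among the asset's components. Resources lacking the
    attribution tags are reported as orphans.
    """
    assets = {}
    orphans = []
    for res in resources:
        tags = res["tags"]
        app, owner = tags.get("app"), tags.get("owner")
        if not app or not owner:
            orphans.append(res["id"])
            continue
        asset = assets.setdefault(app, {
            "owners": set(),
            "classification": LEVELS[0],
            "resource_types": set(),
            "resource_count": 0,
        })
        asset["owners"].add(owner)
        asset["resource_types"].add(res["type"])
        asset["resource_count"] += 1
        level = tags.get("data", LEVELS[0])
        if RANK.get(level, 0) > RANK[asset["classification"]]:
            asset["classification"] = level
    return assets, orphans


def ownership_conflicts(assets):
    """Assets claimed by more than one owner need a decision before roles can be agreed."""
    return sorted(app for app, a in assets.items() if len(a["owners"]) > 1)


if __name__ == "__main__":
    catalogue, unowned = build_catalogue(RESOURCES)
    for app, asset in sorted(catalogue.items()):
        print(f"{app}: owners={sorted(asset['owners'])} classification={asset['classification']} "
              f"types={sorted(asset['resource_types'])} count={asset['resource_count']}")
    print("unattributed resources:", unowned)
    print("ownership conflicts:", ownership_conflicts(catalogue))
```

On the constructed data the two VMs, the function and the bucket fold into one "payments" asset classified as restricted (the bucket's level), whatever the instance count happens to be at snapshot time, and the untagged VM surfaces as unattributed. The same catalogue shape is what the build, run, business and finance stakeholders mentioned above can all read without knowing the underlying cloud services.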

Embrace cyber resiliency

In short, cyber resiliency shifts the focus from protecting the asset to the survival of the mission. This is mainly due to the assumption that component weaknesses are unavoidable in large and complex IT systems and that breaches will eventually happen given the sophisticated nature of advanced persistent threats (APTs). However, I am appalled to see how the term cyber resiliency has been overused recently while many have failed to implement basic cyber hygiene across the estate (see the CIS 20 critical security controls). Many of the memorable breaches could in fact have been prevented if cyber hygiene controls had been implemented; I discuss that further in the final part below. Back to cyber resiliency: cloud technologies can usually adapt to adverse conditions better than on-premise architectures. The cloud can provide isolated and distributed environments across the globe with redundant components for service resiliency. Modern cloud technologies also offer immutable and ephemeral services (e.g. containers, serverless functions) that make the adversary's job more difficult. I suggest architecting the cloud estate with cyber resiliency in mind, where resiliency is built into system designs and the other cyber security services (defend, detect, respond) are applied proportionally and work in harmony, as per the whole context of this article.

Engage an experienced partner for security management

Successful cloud adoptions depend on organisational change leadership and, in most cases, broad technical expertise. Speed and agility are important for many, but the established IT estate is unlikely to change with a big-bang approach. External partners may help to accelerate the process, as expertise and experience from other adoptions can be reused. Cyber security may often be seen as trivial next to all the other cool technologies promising immediate business value, so it might be a good idea to engage a partner. Cyber security, however, is not an isolated construct that can simply be outsourced, as it often manifests as an inherent attribute of a business service or product (a feature or quality), or otherwise as a non-functional service (risk and compliance). A holistic approach and a well-organized structure can solve this problem, as I discussed earlier in the Architecting Cyber Security article. In a nutshell, where cyber security is not an inherent attribute of a business service or product, it is better positioned to be offloaded to a specialized partner (e.g. border protection, red-team testing, security monitoring & event management services). It is crucial here to define clear interfaces for technology integration and concise procedures for team interaction. The model should define responsiveness as a critical success factor, as there is no room for more organisational silos and friction between teams. While I suggest engaging an experienced partner, I also emphasize the importance of transferring know-how continuously, as the cyber security architecture is ultimately owned by the enterprise as an organisational asset.

In conclusion, there is no silver bullet for the successful delivery of cyber security in cloud adoption programs, though many learnings and case stories have been developed recently that support strategic thinking and decision making. I have consolidated a few suggestions here and look forward to hearing more from you.